Google Wallet Found Vulnerable, User ID Exposed

by piaoc5641 on 2012-02-15 00:49:44

By waving their mobile phone at a checkout terminal, consumers can make payments without using a credit card. This kind of mobile payment service has already been introduced in countries like Japan, but it is just beginning to take off in the United States. Google Wallet is currently available on phones sold by Sprint. Verizon Wireless, AT&T and T-Mobile USA previously formed a joint NFC mobile payment company called Isis. The company will launch a product to compete with Google Wallet, but the exact launch date has not been announced yet.

The flaw in Google Wallet was discovered by Joshua Rubin, senior engineer at Internet security firm zvelo. Rubin developed a cracking application called Wallet Cracker, which he claims can obtain the four-digit PIN required to open the Google Wallet app. He demonstrated the specific cracking process on his blog via video.

Rubin said that he had informed Google of his findings, and Google responded that they would verify the issue and agreed to quickly resolve it. Jay Nancarrow, a Google spokesperson, stated in an email that "We are working to fix this issue." Meanwhile, he questioned Rubin's investigation, saying "zvelo's research was conducted on their own phone where they disabled the security mechanism that protects Google Wallet by gaining root access."

Nancarrow also advised people not to install Google Wallet on rooted devices, and to set up a lock screen password for an additional layer of protection. A representative from Sprint, Shang Yicai, did not respond on the matter.

Google Wallet partners also include Citigroup and payment network MasterCard. Emily Collins, a spokesperson for Citigroup, stated that information about Citigroup cardholders is not stored in Google Wallet, and cardholders are not responsible for unauthorized transactions.